System Administration Guide: IP Services

Procedure: How to Verify That IKE Preshared Keys Are Identical

If the preshared keys on the communicating systems are not identical, the systems cannot authenticate each other: the IKE Phase 1 exchange fails and no IPsec security associations are created.

Before You Begin

IPsec has been configured and is enabled between the two systems that you are testing. You are running the current Solaris 10 release.

Note –

To perform this procedure on a release prior to the Solaris 10 4/09 release, see Example 23–2.

  1. On the system console, assume the Primary Administrator role or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

    Note –

    Logging in remotely exposes security-critical traffic to eavesdropping. Even if you somehow protect the remote login, the security of the system is reduced to the security of the remote login session. Use the ssh command for secure remote login.

  2. On each system, check the privilege level of the in.iked daemon.

    # svcprop -p config/admin_privilege ike
    • If the privilege level is keymat, continue with Step 3.

    • If the privilege level is base or modkeys, increase the privilege level.

      Then, refresh and restart the ike service.

      # svccfg -s ike setprop config/admin_privilege=keymat
      # svcadm refresh ike ; svcadm restart ike
      # svcprop -p config/admin_privilege ike
  3. On each system, view the preshared key information.

    The dump prints the key material itself, which is why the keymat privilege level is required. Run it on the system console only, and do not leave the output in a terminal log or in a file that other users can read.

    # ikeadm dump preshared
    PSKEY: Preshared key (24 bytes): f47cb…/192
    LOCIP: AF_INET: port 0, (enigma).
    REMIP: AF_INET: port 0, (partym).
  4. Compare the two dumps.

    The PSKEY lines must show the same length and the same hex value, and each system's LOCIP should be the other system's REMIP. If the preshared keys are not identical, replace one key with the other key in the /etc/inet/secret/ike.preshared file on that system, keep the file's restrictive permissions, and then make in.iked reload the file, for example with ikeadm read preshared or by restarting the ike service.

  5. When the verification is complete, return the privilege level to the default (base) on each system, then refresh and restart the service as in Step 2 so that in.iked no longer exposes key material.

    # svccfg -s ike setprop config/admin_privilege=base
    # svcadm refresh ike ; svcadm restart ike
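The comparison in Steps 3 and 4 is easy to get wrong by eye on a 24-byte hex string. The following script is an added example, not part of this guide or of Solaris: it compares two saved captures of ikeadm dump preshared, one from each peer, reports MATCH or MISMATCH without echoing the key, and also checks that the two endpoints mirror each other (one system's LOCIP is the other's REMIP). The capture file names, the sample key and the IP addresses are this example's assumptions; the real dump may include addresses before the hostname, which the patterns tolerate.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: compare two `ikeadm dump preshared`
# captures without printing key material.
# Assumed workflow (file names are this example's choice):
#   enigma# ikeadm dump preshared > /tmp/psk.enigma
#   partym# ikeadm dump preshared > /tmp/psk.partym
# then bring both files to one host and run: psk_compare /tmp/psk.enigma /tmp/psk.partym

# psk_key FILE: print the hex key from the first PSKEY line (internal use only).
psk_key() {
    sed -n 's#^PSKEY: Preshared key ([0-9]* bytes): \([0-9a-fA-F]*\)/[0-9]*.*#\1#p' "$1" | head -n 1
}

# psk_peer FILE LOCIP|REMIP: print the hostname shown in parentheses on that line.
psk_peer() {
    sed -n 's#^'"$2"': .*(\([^)]*\))\.*$#\1#p' "$1" | head -n 1
}

# psk_compare FILE_A FILE_B: return 0 when the keys are identical and the
# endpoints mirror each other (A's LOCIP is B's REMIP and vice versa).
psk_compare() {
    ka=$(psk_key "$1"); kb=$(psk_key "$2")
    if [ -z "$ka" ] || [ -z "$kb" ]; then
        echo "no PSKEY line with a hex key found in $1 or $2" >&2
        return 2
    fi
    la=$(psk_peer "$1" LOCIP); ra=$(psk_peer "$1" REMIP)
    lb=$(psk_peer "$2" LOCIP); rb=$(psk_peer "$2" REMIP)
    if [ "$la" != "$rb" ] || [ "$ra" != "$lb" ]; then
        echo "endpoint mismatch: $1 is $la<->$ra but $2 is $lb<->$rb" >&2
        return 1
    fi
    if [ "$ka" = "$kb" ]; then
        echo "MATCH: $la <-> $ra share a $(( ${#ka} / 2 ))-byte preshared key"
        return 0
    fi
    echo "MISMATCH: $1 has a $(( ${#ka} / 2 ))-byte key, $2 a $(( ${#kb} / 2 ))-byte key; fix ike.preshared on one side" >&2
    return 1
}

# Constructed sample captures with a made-up key (not a real dump).
DEMO=${TMPDIR:-/tmp}/psk-demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/enigma" <<'EOF'
PSKEY: Preshared key (24 bytes): f47cb0a1d2e3f40516273849a0b1c2d3e4f5061728394a5b/192
LOCIP: AF_INET: port 0, 192.0.2.10 (enigma).
REMIP: AF_INET: port 0, 198.51.100.20 (partym).
EOF
cat > "$DEMO/partym" <<'EOF'
PSKEY: Preshared key (24 bytes): f47cb0a1d2e3f40516273849a0b1c2d3e4f5061728394a5b/192
LOCIP: AF_INET: port 0, 198.51.100.20 (partym).
REMIP: AF_INET: port 0, 192.0.2.10 (enigma).
EOF
# A partym capture whose key differs in its last byte, as after a typo.
cat > "$DEMO/partym-typo" <<'EOF'
PSKEY: Preshared key (24 bytes): f47cb0a1d2e3f40516273849a0b1c2d3e4f5061728394a5c/192
LOCIP: AF_INET: port 0, 198.51.100.20 (partym).
REMIP: AF_INET: port 0, 192.0.2.10 (enigma).
EOF

psk_compare "$DEMO/enigma" "$DEMO/partym"        # MATCH, exit status 0
psk_compare "$DEMO/enigma" "$DEMO/partym-typo"   # MISMATCH, exit status 1
```

Because the capture files contain the key, treat them like ike.preshared: create them on the console as root, keep them mode 0600, and delete them once the comparison is done.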